Remote Attacker Tampers with Florida Water Facility
By Michael Mimoso | Feb. 8, 2021
A remote attack Friday against a water treatment facility in Florida will reinforce the need for defenders to be vigilant about the security of internet-facing connections of critical infrastructure.
The facility in Oldsmar, Fla., was accessed twice on Friday via a compromised instance of TeamViewer, a legitimate remote access tool used for technical support, according to city officials and law enforcement. The second intrusion, at 1:30 p.m., five-and-a-half hours after the first, saw the attacker change the level of sodium hydroxide in residential and commercial drinking water from 100 parts-per-million to 11,100 parts-per-million. Sodium hydroxide, or lye, is added to water to control acidity and remove certain metals; lye is also the primary agent in drain cleaner and is a caustic substance that is dangerous if consumed.
An operator who saw the first intrusion at 8 a.m. dismissed it as perhaps a supervisor accessing the system for monitoring, officials said. During the second intrusion, the same operator said, they watched the attacker control the system for up to five minutes, opening several applications, including the one for the chemical dosing process the attacker was able to alter.
Once the intruder left the system, the operator was able to bring the levels back down to normal; officials said redundancies and other safeguards in the system would have prevented the tainted water from reaching residents and businesses regardless.
“The public was never in danger,” Pinellas County Sheriff Bob Gualtieri said.
The compromised system was password protected, officials said, which indicates that either a weak credential was guessed or a stolen password was used to access the facility.
Critical infrastructure risks in 2021 have been elevated on a number of fronts, largely because of the COVID-19 pandemic. Most companies, utilities in particular, have been forced to increase the number of remote connections to critical systems for maintenance and updates, simultaneously increasing demands for remote access along with an organization’s exposure.
Water and wastewater facilities, specifically, continue to be one of the most at-risk critical infrastructure sectors; Claroty’s recently released Biannual ICS Risk & Vulnerability Report for the second half of 2020 pointed out that water and wastewater software vulnerabilities increased 54 percent year-over-year from 2019. More security researchers than ever are disclosing exploitable flaws in these systems in order to have them mitigated, and more threat actors than ever are looking at industrial control systems as targets.
In April 2020, Israel’s Water Authority was targeted in a large-scale attack. Hackers attempted to access the command and control systems of wastewater treatment plants, pumping stations, and sewage infrastructure. A statement from the Water Authority and National Cyber Directorate reported the incident appeared to be coordinated, but no damage had occurred. Password resets were mandated and control software updated; some systems were disconnected from the internet if they could not be updated.
Small water utilities—Oldsmar is a city of 15,000—are not generally well-resourced with robust security programs. In this attack, the threat actor not only was able to access a password-protected TeamViewer connection, but also understood how the plant operated and was intent on changing this crucial safety process.
Ideally, a risk assessment should include a thorough understanding of external and internal threats, potential attack vectors, and a thoughtful approach to education, secure architecture, controls, processes, and monitoring.
Technology that monitors process values and provides visibility into abnormal readings at the lowest levels of the Purdue Model—controllers, sensors, and other field devices—is essential to alert operators to potential intrusions and to threats to the availability and safety of services.
Remote access solutions specifically designed for operational technology networks are also essential to heading off the risks posed by attacks such as the one in Florida. Not only would such a technology allow for remote troubleshooting from anywhere, but also allow only authorized users to create and permit remote sessions, as well as shut down a remote session if there were alerts or policy violations.
Visibility into network assets is a foundational strategy for the security of industrial networks. In this case, such visibility could help detect unauthorized remote connections. Products such as TeamViewer and VNC are sold as enterprise offerings, but often they are used ad-hoc, with free versions of the product popping up in user environments as shadow IT, sometimes to support a third-party connection or specific process. These instances must be configured using policy-based access controls that manage access for designated operators.
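As an added illustration of the process-value monitoring and remote-session visibility described above (example code, not part of the original article or any Claroty product), the script below replays a constructed event stream shaped like the Oldsmar timeline and raises alerts on setpoint writes that leave a safe band and on remote sessions from users outside an approved list. Tag names, thresholds, usernames and the event schema are all assumptions made for the example.

```python
"""Minimal process-value and remote-session monitor (constructed example).

Flags (a) writes to the sodium hydroxide dosing setpoint that leave the safe
operating band or jump by more than a set ratio, and (b) remote-access
sessions opened by users outside an approved list. All event records are
constructed; field names and thresholds are assumptions, not any vendor's
log schema or the Oldsmar plant's real limits.
"""
from dataclasses import dataclass

NAOH_TAG = "naoh_dose_ppm"                  # assumed tag name for the lye setpoint
NAOH_SAFE_PPM = (50.0, 200.0)               # assumed safe operating band (ppm)
MAX_INCREASE_RATIO = 2.0                    # an increase beyond 2x the prior value is abnormal
APPROVED_REMOTE_USERS = {"ops_supervisor"}  # assumed allowlist of remote operators


@dataclass
class Event:
    ts: str            # "HH:MM" local time (constructed)
    kind: str          # "setpoint" or "remote_session"
    user: str
    tag: str = ""      # process tag, only for setpoint writes
    value: float = 0.0


def analyze(events):
    """Return a list of (ts, reason) alerts for the given event stream."""
    alerts = []
    last_value = {}  # tag -> most recent setpoint value seen
    for ev in events:
        if ev.kind == "remote_session" and ev.user not in APPROVED_REMOTE_USERS:
            alerts.append((ev.ts, f"remote session by unapproved user {ev.user}"))
        elif ev.kind == "setpoint" and ev.tag == NAOH_TAG:
            lo, hi = NAOH_SAFE_PPM
            prev = last_value.get(ev.tag)
            if not lo <= ev.value <= hi:
                alerts.append((ev.ts, f"{ev.tag} set to {ev.value} ppm, outside {lo}-{hi}"))
            elif prev and ev.value / prev > MAX_INCREASE_RATIO:
                alerts.append((ev.ts, f"{ev.tag} raised {prev} -> {ev.value} ppm"))
            last_value[ev.tag] = ev.value
    return alerts


# Constructed event stream mirroring the timeline reported in the article
SAMPLE_EVENTS = [
    Event("08:00", "remote_session", "tv_user_9x"),
    Event("08:05", "setpoint", "plant_operator", NAOH_TAG, 100.0),
    Event("13:30", "remote_session", "tv_user_9x"),
    Event("13:32", "setpoint", "tv_user_9x", NAOH_TAG, 11100.0),
    Event("13:37", "setpoint", "plant_operator", NAOH_TAG, 100.0),  # operator restores the value
]

if __name__ == "__main__":
    for ts, reason in analyze(SAMPLE_EVENTS):
        print(f"{ts} ALERT {reason}")
```

The first remote session at 08:00 is flagged even though no setpoint changed, which is the alert the operator in the article did not have when dismissing that intrusion.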